Extracted

• • Target

    Excellent2.0.exe

  • Size

    61KB

  • MD5

    b5cb5c0b4b3f5bbf0056a7abcd2574f9

  • SHA1

    681b26cbbb2b290aa94a93523bc5e9960c72c538

  • SHA256

    76e2288825cf5185b61022a16fcddd285c51eda1cbe32d62f658d277b24f378b

  • SHA512

    9340e7f9c03597f3eb9e6f9eaa457959289aac0f6e6b969e457e7290a215de0a318ab194ffaf3d4d8929e905055e2b1c352fe8fea3e2dccc0824b556ade66c5f

  • SSDEEP

    1536:ochGo/XyaRwm5I/QZyR3+bRo8DeLw6gOMdbLyRhk:o2qmbq3+bRo5uO8buRhk

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence
  behavioral1